Deloitte's 'Test your Hacker IQ' site fails itself after exposing database user name, password in config file
Security quiz site created by advisors includes inadvertent bonus round
Updated: A website created for global consultancy Deloitte to quiz people on knowledge of hacking tactics has proven itself vulnerable to hacking.
The site, found at the insecure non-HTTPS URL http://deloittehackeriq.com/, makes its YAML configuration file publicly accessible. And within the file, in cleartext, is the username and password for the site's MySQL database.
The site invites visitors to "Test Your Hacker IQ" by entering a username. It then poses a series of multiple choice questions about techniques employed by hackers to obtain corporate information. The quiz doesn't cover the possibility of publicly exposed passwords.
The blunder was spotted on Wednesday by Tillie Kottmann, a Switzerland-based IT consultant and developer who uses the handle deletescape. The website was taken down on Wednesday.
hey @Deloitte, what exactly is my hacker IQ now? pic.twitter.com/Bqv25kdDsU — Tillie Kottmann 💛🤍💜🖤 (@antiproprietary) November 4, 2020
Kottmann in August published leaked Intel technical materials as well as SonarQube source code.
The deloittehackeriq.com domain was registered by Tank Design, a Massachusetts-based digital marketing firm, in 2015, and the site includes a 2015 Deloitte Development LLC copyright notice.
Kottmann told The Register that the last commit to its .git repo was in 2017 and said it's not clear how actively the site is being used. The site was first captured by the Internet Archive's Wayback Machine in 2018.
Further compounding the vulnerability of the site, the quiz is hosted on Ubuntu Linux 14.04, which stopped receiving security patches in April last year and is potentially vulnerable to 11 known flaws.
Kottmann said, "Maybe it's worth mentioning that a whole lot of sites, including some other bigger corporations have .git [repositories] exposed on various domains."
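The two failures described above, a YAML configuration file with cleartext database credentials sitting inside the web root and an exposed .git directory, are both things an operator can catch with a local audit before deploying. The following Python script is an added example written for this article; it is not code from the site, from Deloitte or from Tank Design. It walks a document root on the local filesystem, lists files and directories that should never be served (version-control metadata, YAML/.env/.ini configs, backups), flags YAML lines that assign a literal value to a credential-like key, and prints nginx deny rules for what it found. The web-root layout, the config contents and the credential key patterns are all constructed or assumed for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed conventions for what must not be reachable under a web root.
SENSITIVE_DIRS = {".git", ".svn", ".hg"}
SENSITIVE_SUFFIXES = {".yml", ".yaml", ".env", ".ini", ".sql", ".bak"}
SENSITIVE_NAMES = {".env", ".htpasswd"}

# Matches "some_password_key: value" style YAML lines; key names are an assumption.
CREDENTIAL_KEY = re.compile(
    r"^\s*[\w.-]*(?:password|passwd|secret|api_key|token)[\w.-]*\s*:\s*(\S.*)$",
    re.IGNORECASE,
)

# Constructed sample config, not the real site's file.
CONSTRUCTED_CONFIG = """\
# constructed sample, not the real site's configuration
database:
  host: localhost
  user: quizapp
  password: "hunter2-constructed"
session_secret: ${SESSION_SECRET}
debug: false
"""


def audit_webroot(root):
    """Return relative paths under `root` that should not be web-served, sorted."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        for d in list(dirnames):
            if d in SENSITIVE_DIRS:
                findings.append(str(rel_dir / d) + "/")
                dirnames.remove(d)  # no need to descend into repo internals
        for f in filenames:
            if f in SENSITIVE_NAMES or Path(f).suffix.lower() in SENSITIVE_SUFFIXES:
                findings.append(str(rel_dir / f))
    return sorted(findings)


def find_plaintext_credentials(yaml_text):
    """Return (line_number, key) for YAML lines giving a credential key a literal value.
    Values that reference an environment variable (${VAR}) are not reported."""
    hits = []
    for n, line in enumerate(yaml_text.splitlines(), 1):
        m = CREDENTIAL_KEY.match(line)
        if not m:
            continue
        value = m.group(1).strip().strip("\"'")
        if not value or value.startswith("${"):
            continue
        hits.append((n, line.split(":", 1)[0].strip()))
    return hits


def nginx_deny_rules(findings):
    """Emit nginx location blocks that hide each finding (stop-gap until files are moved)."""
    rules = []
    for path in findings:
        if path.endswith("/"):
            rules.append("location ^~ /%s { return 404; }" % path)
        else:
            rules.append("location = /%s { return 404; }" % path)
    return rules


def build_constructed_webroot():
    """Create a throwaway document root resembling the failure pattern (constructed)."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.html").write_text("<h1>quiz</h1>")
    (root / "config.yml").write_text(CONSTRUCTED_CONFIG)
    (root / ".git").mkdir()
    (root / ".git" / "HEAD").write_text("ref: refs/heads/master\n")
    (root / "assets").mkdir()
    (root / "assets" / "app.js").write_text("// harmless static asset")
    return root


if __name__ == "__main__":
    root = build_constructed_webroot()
    exposed = audit_webroot(root)
    print("exposed paths:", exposed)
    for path in exposed:
        if path.endswith((".yml", ".yaml")):
            print(path, "credential literals:", find_plaintext_credentials((root / path).read_text()))
    print("\n".join(nginx_deny_rules(exposed)))
```

The deny rules are a stop-gap; the durable fix is to keep configuration and repository metadata outside the document root entirely and load secrets from the environment or a secrets store, which is why the credential check treats `${VAR}` references as acceptable.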
The Register asked Deloitte and Tank Design to comment, but we've not heard back. ®
Updated to add
In a statement sent to The Register after this story was published, a spokesperson for Deloitte distanced the firm from the now-removed hacking contest site.
“We are aware of an incident that involved unauthorized access to an interactive game/website which was developed for a cybersecurity event in 2015,” the company spokesperson said.
“The platform is hosted by a third-party and is distinct from any other Deloitte system; there is no impact to any other Deloitte system. The site has not been actively used since 2015 and has now been taken down. We remain vigilant in assessing this incident and other potential cyber threats. We are deeply committed to maintaining cyber defenses that are aligned to best-in-class practices, to investing heavily in protecting confidential information, and to continually reviewing and enhancing our cyber security.”